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Cu ■ Abstract 

In this paper, we describe a different approach to the proof of the nonexistence of 
homogeneous rotation symmetric bent functions. As a result, we obtain some new results 
which support the conjecture made in this journal, i.e., there are no homogeneous rotation 
symmetric bent functions of degree > 2. Also we characterize homogeneous degree 2 
rotation symmetric bent functions by using GCD of polynomials. 
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o; 1 Motivation 

Since the introduction in the seventies by Rothaus [T], bent functions have been intensively 
J> . studied in the past three decades, and widely used in cryptography and error-correction coding 

due to their nice cryptographic and combinatoric properties. For example, the highest possible 
nonlinearity of bent functions can be used to resist the differential attack and the linear attack 
in symmetric cipher. 

Recently, homogeneous rotation symmetric (Abbr. RotS) Boolean functions have attracted 
attentions (see [H |31 H]) because of their highly desirable property, i.e. they can be evaluated 
, efRciently by re-using evaluations from previous iterations. Consequently, when efficient evalu- 

ation of the function (for example, design of some cryptographic algorithm, such as MD4 and 
MD5) is essential, these functions can serve as a good option. 

It is natural to ask what kind of homogeneous RotS bent functions exist. In fact, homoge- 
neous bent functions are of interest in literature [5J 111 [71 HI [HI . Stanica and Maitra [3 [7] 
studied RotS bent functions up to 10-variables. They enumerated all RotS bent functions in 
8-variables. 4 ■ 3776 such functions of degree 2 were found. However, they couldn't find any 
homogeneous RotS bent functions of degree 3,4 and 5 in 10 variables. Thus they made the 
following conjecture. 

Conjecture 1.1 There are no homogeneous rotation symmetric bent functions of degree > 2. 

Let us summarize known results related to the above conjecture. Observing that bent func- 
tions are in fact Hadamard difference sets, Xia et al.[8] showed that there are no homogeneous 
bent functions of degree n in 2n variables for every n > 3. By using the relationship between 
the Fourier spectra of a Boolean function at partial points and the Fourier spectra of its sub- 
functions, Meng et al.^ got a low bound of degree for homogeneous bent functions. From the 
view point of nonlinearity, Stanica |11) obtained the following nonexistence results (see Section 
2 for the notation SANF of a Boolean function): 

Theorem 1.2 The following hold for a homogeneous RotS f of degree d > 3 in n variables: 
(i) If the SANF of f is xi ■ ■ ■ Xd, then f is not bent. 
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(ii) If the SANF of f is xi ■ ■ ■ Xd+xi ■ ■ ■ Xd-iXd+i, then f is not bent, assuming: > [^J, 
ifn^ l{mod d); ^ > [^J, i/n = l{mod d). 

(Hi) If the SANF of f is x"^ + ■ • ■ + x""*, then f is not bent when dj < ■J0jpi where 
df = Maxi,j{j2 ~ ji\uij, = Uij^ =1, Uij ^0 if ji < j < J2}. 

In this paper we will introduce another method which may be more suitable for investigating 
homogeneous RotS bent functions. By using the rotation symmetric forms of RotS functions, 
we obtain more nonexistence results which are unaccessible by Theorem 11.21 For example our 
results imply that most homogeneous degree d{> 3) RotS bent functions with SANF forms 
containing xi ■ ■ ■ Xd cannot exist. Also, we give an equivalent characterization of homogeneous 
degree 2 RotS bent functions by GCD of polynomials. 



2 Preliminaries 

In this section we list some basic definitions and notations about homogeneous rotation sym- 
metric Boolean functions and bent functions. 

Let F2 be the vector space of dimension n over the two element field F2. A Boolean 
function /(xo, • ■ • , Xn-i) in n variables is a map from to F2. For x — {xi, • • • , a;„), u = 
(ui,--- ,Un) e Fj. Denote x" = x"^ •■•a;JJ". Then every Boolean function / is uniquely of 

the form /(x) = ^ x", where U/ C F2. Let |u| be the Hamming weight of u G Fj. The 
ueu^ 

algebraic degree of / is defined to be Maa;{|u| | u G U/}. 

By A\\B we mean the concatenation of two bit strings A and B. We use J^(respectively 

/ 

^) to represent 1 (respectively 0) string of length I, and 1 * ■ ■ ■ * 1 to represent a bit string 

I I 
of length I, with the first and the last bit to be 1. 

We define an operation © over F2 to be x ® ?/ G F2 such that x (B y = H and only if 
a; = and y — 0. (B can be extended to F2 by this way: for x, y G Fj, x © y = (xi © 
yi, ■ • • , x„©y„). Let 1 < I < n, the operation p'(-) acing on F2 is defined to be p'(a;i, • • • , a;„) = 
{xn-i+i , Xn-i+2 , ' ' " i x„ , xi , ■ • ■ , Xn-i ) , where n + / = Z if / > 0. The cycle length of x G F^ 
is the least number I such that p'(x) = x. Obviously l:^\n and = ^p(x)- 

Definition 2.1 A Boolean function /(x), is called rotation symmetric (Abbr. RotS) if 

/(x) = /(p(x)), for all X G 

It is clear that a RotS function / is of the form 



l<j<m 0<i<iu. -1 

where to > 1, Uj G Fj (1 < i < rn). Since the existence of x"' implies the existence of x''^"'^ we 
can represent a RotS function / by the so-called short algebraic normal form (Abbr. SANF) 
x"i H -l-x"". 

Definition 2.2 For a Boolean function f{x), the Fourier transform of f at c G Fj is defined 
as 

/(c) = J2 (-l)^(^^+'=■^ 

xGFJ 

where ■ is dot product of two vectors in ¥2 ■ 

Definition 2.3 A Boolean function /(x) is called bent if 

I /(c) I = 2"/2 for all c G F^. 
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It is well-known that if f{xi, ■ ■ ■ , a;„) is bent, then n must be even, and the algebraic degree 
of / is upper-bounded by n/2. 

Let /(x) x"i H hx"-", define 



hf{u) = Yl (-2)*^+- 



■+t„ 



0<ti, -- ,tm<l 

«iui©---©t„u„=u 



It is not difficult to deduce that 

/(c) = (-I)l'=l.^2"-H;i;(u), 

u^c 

where )^ is a partial order on such that (wi, • • • , u„) [vi, ■ ■ ■ , w„) if Ui = Vi or [ui, Vi) = 
(1, 0). We also have the inverse formula: 

/i/(u) = (-l)H.2H-".^7(c). 

By the above formulas and Definition 12.31 one can prove that 
Lemma 2.4 flU [7^ Let n be even and /(x) = x"^ + ■ • ■ + x"™ . Then f is bent if and only if 

,, / f = n/2 if u = 1, 

\ J \ // y > |u| — n/2 if u^l. 

where V2{-) is the 2—adic order function, 1 represents the vector (1, • • • , 1) G • 

3 The result 

Let / be a RotS function of homogeneous degree d, SANF of / is ^ x"', where = 

l<2<m 

(wii,Mj2, • • ■ ,Uin),Uii = 1, and |uj| = d. 
We assume 

Di = Max{j\uij = 1,1 < j < n},l < i < m, 
Di = Min{D^\l <i <m}. 

Theorem 3.1 Let f he a RotS bent function of homogeneous degree d > 3, the SANF of f is 
J2 and ui = Ai\\Bdi-i\\0 ■ ■ -0, 1 < I < Di, where Ai = 1 * ■ ■ ■ * 1,Bd^~i = 1 * • • • * 1. 

If for alll<i<m, u, =^ Ai\\ 0_^\\Bd,-i\\0_^ and u, =^ Bd,-i\\ 0_^\\Ai\\ , where 

Di-Di n-Di TL-kDi kDi-Di 

kd < n, then 

fc.(d-l)<^. 

Proof. Let 

uo = ui ® p^^ (ui) ® • • • © (Ui), 

where kd < n. 

Because |ui| = d for all 1 < z < m, we deduce that 

Mini ^ Cij \ ^ ^ ejjy'(ui) = Uo,eij = 0,1 > = fc. 

[l<i<m4<j<n l<i<ml<j<n-l J 

Since for ah 1 < i < m, U; ^ Ai\\ 0_^\\BD,-i\\0_^a.nd u, ^ Bd,-i\\ 0_^\\Ai\\ , 

Di-Di n-Di n-kDi kDi-Di 

the only solution such that Min < ^ Cij > = k for the equation 

I l<i<m,l<j<n I 



® Bijp'iu,) = Uo, e^j = 0, 1, 

l<z<m l<j<n— 1 
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uo = ui ® (ui) ® • • • © pC^-i)^! (Ui). 
Hence we get W2(/i/(uo)) = k. Since kd < n, Uq 7^ 1. By Theorem 12.41 we have 

W2(/i/(uo)) = fc > |u| - ^ = fed - ^, 

and thus fc • (d - 1) < f . ■ 

The above theorem imphes nonexistence of many RotS bent functions. For example, we get 

Proposition 3.2 For a RotS Junction f of homogeneous degree d>S, the following nonexis- 
tence results hold, 

(1) If the SANF ^ x"* of f contains — Xi - ■ -Xd, and Ui(2 < i < m) is not of the 

1 < i < m 

form then f is not bent. 

I Di-d d-l n-Di 

(2) If the SANF of f is xi ■ ■ ■ Xd -\- xi ■ ■ ■ Xd~iXd+i, then f is not bent. 

(3) Suppose the SANF of f be XiX2+ni^z+ni+n2 '^^^ n — q(D + tiq) + r + {ni + 1), where 
"•ij "2 ^ 0, rio — Max{ni, n2}, -D = ni + ri2 + 3, g > 1, < r < _D + rio. // q{D — Uq — 1) > 
r + ni + 1, then f is not bent. 

Proof. 

(1) If d I n. Let n ^ qd + r,0 < r < d,q> 2. 

Since x"^ = xi ■ ■ ■ Xd, and Ui{2 < i < m) is not of the form i using 

/ Di-d d-l n-Di 

Theorem [SHJ we have 

k-{d-i)<^, i<fc<L^j . 



Let k — [^J ~ q. Thus qd < 2q + r < 2q + d, which produces d < 2 



9-1 ■ 



(1.1) If q = 2, then d < 2 + ~ 4, so the only choice for d is d = 3. By again qd < 2q + r, 
we have r > 3, conflicting with r < d = 3. 

(1.2) If (? = 3, then d < 2 + ^ = 3, conflicting with d > 3. 

(1.3) If g > 4, then d < 2 + ^ < 3, conflicting with d > 3. 

If d\n, let n = qd, q > 2. We choose k = [^-J —1 = ^ — 1. Similarly using Theorem 13. 11 we 
have 

X , , n qd 

{q-l).(d-l)<-^^, 

which produces d < 2 + . 

(1.4) li q = 2, then n = 2d. We choose another 

uo = ui©p'^-i(ui) = l_^||0. 

n-l 

Similarly we get t)2(ft./(uo)) = 2. By Theorem EH V2{hf{uo)) = 2 > \uq\ - n/2 = 
n — 1 — n/2. Therefore n < 6. So d = n/2 < 3, conflicting with d > 3. 

(1.5) If q = 3, then d < 2 + = 4. Thus d = 3 and n = qd = 9. Obviously this is impossible 



since a bent function of n variables can exist for even n. 
2 

q-2 



(1.6) If g > 4, then d < 2 + < 3, conflicting with d > 3. 
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(2) Denote Ui = 1_^||0_^, U2 = ||0||1|| 0_^, then the SANF of / is x"i + x"^ 

d n—d d—1 n—d—1 

If n 7^ 0, l{mod d), let n = qd + r,l < r < d,q > 2. We choose 

uo = ui ® (ui) © • • • © p(9-i)^i (ui) ^ l_^Oj^, 

qd r 

and it is easy to see that W2(^/(uo)) = q- 

Using Theorem [2111 we obtain q- (d—l) < ^, and thus qd < 2q + r < 2q + d. The remaining 
discussions are the same as (1.1), (1.2) and (1.3). 

If n = 0{mod d), let n — qd, q >2. We choose 

uo = ui ©p^i(ui) © •••©p(«-2)^i(ui) = 1_;_10__^- 

{q-l)d d 

Similarly by Theorem 13. II we get d < 2 + -^j2- discuss the inequality in three cases: (? = 2, 
q = i and g > 4. The proof for the cases g = 3, 4 are the same as (1.5), (1.6) respectively. 
If q = 2, then n = 2d. We choose 

Uo = Ml® p'^-'^{xii)^l_^\\m. 

2d-2 

It is easy to see that W2('i/(uo)) — 2. By Theorem 12.41 we get W2(^/(uo)) — 2>2d — 2~ n/2. 
Thus d < A. Since > 3, we have d = 3,n = 6. However, RotS function over 6 variables with 
the SANF form xiX2Xz + xiX2Xi can be verified to be non-bent. 

The remaining case is n = l(mod d). Assume n — qd + 1. Wc choose 

Uo = ui © (ui) © • • • © (ui) = 1_^0__^. 

[q-l)d d+1 

Similarly we get d < 2 H — If g > 2, then d < 3, a contradiction to d > 3. If q = 2, then 
n = 2d + \. However, a Boolean functions in odd number variables cannot be bent. 

(3) Denote Ui = 1|| ||1|| — ||1|| — 0, then the SANF of / is x"i. 

ni n2 n — D 

Since n — q{D + no) + r + {ni + 1) and q > 1, we see that n — (ni + 1) > D + uq. Let 
"2 = © P'(ui), i.e. 



0<i<no-l 



Let 



U2 = 10_^10_^10 — 0© 

ni 112 n — D 

010_^10 — 01 ( 

ni 712 n — D — 1 



o_^io — oio_^i 

no ni 712 n—D — no 

i_^|| . 

D-\-nQ n — D — no 



Uo = © P'(^+"'')(U2) 

0<i:<fe-l 

D+no D+no n-k{D+no) 

= 1---1 II 0---0 , 



k{D+na) n-k{D+no) 

where 1 < fc < [ "~"^^~"'" J . It is not difficult to see that V2{hf{uo)) — fc(no + 1). 

Let k = V'oTn„^ \ = 1- By Thcoremim we have V2{hf{uo)) = g(7io + l) > |uo| — n/2, which 
implies q{D — rio — 1) < r + ui + l. It follows that / is not bent if q{D — no — 1) > r + ni + 1. ■ 
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Remark 3.3 Note that the above nonexistence results could not he obtained by Theorem 
For example, the nonexistence of homogeneous RotS bent functions with SANF xi ■ ■ ■ Xd + 
Xi ■ ■ ■ Xd-iXd+i could not be proven by Theorem ] 1.21 

Remark 3.4 We remark that the statement "prove the nonexistence of homogeneous RotS bent 
functions of degree > 3 on a single cycle(i.e. the SANF is x" for some u)" in 114^ is incorrect. 
The proof is based on the assumption that all RotS functions of a single cycle are affinely 
equivalent to RotS functions with SANF xiX2 ■ • ■ Xd- In fact there are many RotS functions of 
a single cycle that are not affinely equivalent to xiX2 ■ ■ ■ Xd. 

In the following we will give a characterization of homogeneous RotS bent function of degree 
2. First recall two basic results about bent functions and circulant matrixes. A circulant matrix 
over F2 is of the form 

/ a, \ 
P(ai) 

V P"-Hai) J 

where ai = (an, • • • , ai„) G . So a circulant matrix can be represented by its first row ai. 
Further a circulant matrix over F2 can be represented by the polynomial ^ aijX^^^ G ¥2[x]. 

l<j<n 

Lemma 3.5 Quadratic Boolean function /(a^i, ■ • • ,Xn) — OijXiXj + ^ biXi is bent 

l<i<j<n l<i<n 

if and only if the matrix {aij)nxn is nonsingular, where a.ij = Oji G F2, an = 0, 1 < j < n. 

Lemma 3.6 Circulant matrix {aij)nxn over ¥2 is nonsingular if and only if the polynomials 
aijX^"^ and + 1 are relatively prime, i.e. GCD{ Y2 o,ijX^~^, a;" + 1) = 1. 

It can be verified that ^ XiXg-i+i with e > n/2 is in fact equal to ^ XiXn-e+i+i with 

l<i<n l<i<n 

n — e + 2<n/2 + l. So we can assume a homogeneous RotS function of degree 2 has SANF 
form xiXei + • • ■ + xiXe„^, where 2 < ei < 62 • ■ ■ < e™ < n/2 + l,m < n/2. Obviously, the 
associated matrix {aij)nxn of / is circulant, with the first row (an, • • • , ai„) such that 

an = 0, aie- = ai{n+2-ei} = 1, 1 < * < m,, and aij — ifj 7^ or n + 2 — e^. 

Thus the corresponding polynomial is ^ (x'^'^^+x""''^"'^'), where is assumed 

l<i<m 

to be x"/^ if 6; — 1 = n + 1 — = n/2. By Lemma [3.51 and Lemma [531 we have 

Theorem 3.7 Homogeneous RotS function f of degree 2 described as above is bent if and only 

GCD{ (x'^'-i +2;"+!-'='), 2;" + l) = L 

l<i<m 

Remark 3.8 A necessary condition for GCD{ ^ {x'^^^'^ + x"^-'^"'^'), a;" + 1) = 1 is a;"/^ 
should be contained in Y2 {x"^^^^ +x"'^^^'^^), i.e. the SANF of f must contain xiXn/2+i- For 

1 < i < m 

example, all homogeneous degree 2 RotS bent functions in 8— variables are (expressed in SANF 
forms, see J^): 

X1X5; X1X2 + X1X5; xix^+xix^; X1X4 + X1X5; xia;2 + xixa + xixs; 
xia;2 + a:ia;4 + xix^; X1X3 + xix^ + 0:1X5; 3:1X2 + X1X3 + X1X4 + X1X5. 
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4 Conclusion 



In this paper, we presented a different method suitable for the existence problem of homogeneous 
rotation symmetric bent functions, which leaded to some new results, and may be used to prove 
the nonexistence of most homogcncoiis rotation symmetric bent functions with degree > 2 once 
their SANFs are given. Since the conjecture is only partially proved, we expect a fully proof 
with the aid of our proposed method. 
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